Plugin Default Config Entry
Design doc:
http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_E...
New slapi APIs in libslapd:

int slapi_set_plugin_default_config(char *type, char *attr);
  Description:  Set given "type: attr" to the plugin default config entry
                (cn=plugin default config,cn=config).
  Parameters:   type - Attribute type to add to the default config entry
                attr - Attribute value to add to the default config entry
  Return Value: 0 if the operation was successful
                non-0 if the operation was not successful

int slapi_get_plugin_default_config(char *type, char ***attrs);
  Description:  Get attribute values of given type from the plugin default
                config entry (cn=plugin default config,cn=config).
  Parameters:   type - Attribute type to get from the default config entry
                attrs - Pointer to the string array to store the values of
                        the attribute
  Return Value: 0 if the operation was successful
                non-0 if the operation was not successful
  Warning:      Caller is responsible to free attrs by slapi_ch_array_free
Changes in the Replication plugin:
1) Functions to set replicated attributes
   agmt_set_replicated_attributes_from_attr and
   agmt_set_replicated_attributes_from_entry
   call _agmt_set_default_fractional_attrs to set the default excluded
   attribute list from the plugin default config entry before setting
   them from each replication agreement.
   To support it, agmt_parse_excluded_attrs_config_attr is changed to be
   re-entrant.
2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
3) Added a check for the duplicated fractional attributes.
Changes in the USN plugin:
usn_start calls slapi_get_plugin_default_config to check if "entryusn" is
in the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the
plugin default config entry or not. If it does not exist, the function
adds it. Note: If the nsds5ReplicatedAttributeList value exists and
"entryusn" is not in the EXCLUDE list, we have to append it to the list
instead of replacing it.
Thanks,
--noriko

https://bugzilla.redhat.com/show_bug.cgi?id=518418
Resolves: bug 518418
Bug Description: Package rename shuts down server, results in
unconfigured package
Reviewed by: ???
Files: see diff
Branch: HEAD and 1.2
Fix Description: It occurred to me that using tar and untarring the file
is a tremendous security hole, with no obvious way to secure it.
Therefore, I'm scrapping that solution, and going with a solution that
uses the built-in lua interpreter. This also allows me to save the
information in a global variable in the %pre section that I can access in
the %posttrans section, which should be very secure.
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=358509&action=diff

https://bugzilla.redhat.com/show_bug.cgi?id=518418
Resolves: bug 518418
Bug Description: Package rename shuts down server, results in
unconfigured package
Reviewed by: ???
Files: see diff
Branch: HEAD and 1.2
Fix Description: In the %pre section, check to see if fedora-ds-base
exists. If so, save the run level configuration, restore it in the
%posttrans section, and start the server. Note that this hack is only
needed for Fedora 10 and Fedora 11, so we can get rid of the hack once
Fedora 11 becomes obsolete.
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=358482&action=diff

https://bugzilla.redhat.com/show_bug.cgi?id=518544
Resolves: bug 518544
Bug Description: large entries cause server SASL responses to fail
Reviewed by: ???
Files: see diff
Branch: HEAD and 1.2
Fix Description: The SASL server code was broken when we switched over to
use NSPR I/O for the SASL IO layer. If the entire encrypted buffer could
not be sent to the client, the server was just failing. Instead, the
server must keep track of how many encrypted bytes were sent. If all of
the encrypted bytes could not be sent, we must return the appropriate
error to the caller to let them know the operation would block. The
caller in this case is the write_function() which does a poll() to see if
the socket is available for writing again, then will attempt the send
again.
I also cleaned up usage of the various Debug macros.
Finally, I discovered that the sasl init code was calling
config_get_localhost() before that value could be set. In most cases, it
is ok, because it will fall back to the default hostname from the system.
However, if for some reason you want to use a different localhost, it
will fail. Now it will be in the bootstrap config code.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=358289&action=diff
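
Added example (not part of the message above and not the patch's code): a
sketch of the partial-send bookkeeping the fix description calls for, so a
retry after poll() resumes where the last send stopped. The struct layouts,
function names and the mock socket are hypothetical; the real code uses NSPR
I/O.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a non-blocking socket: accepts at most
 * `window` bytes in total, then reports EWOULDBLOCK. */
struct mock_sock { char out[256]; size_t len; size_t window; };

static long mock_send(struct mock_sock *s, const char *buf, size_t n)
{
    size_t room = sizeof(s->out) - s->len;

    if (s->window == 0 || room == 0) { errno = EWOULDBLOCK; return -1; }
    if (n > s->window) n = s->window;
    if (n > room) n = room;
    memcpy(s->out + s->len, buf, n);
    s->len += n;
    s->window -= n;
    return (long)n;
}

/* Encrypted data pending across calls (hypothetical layout). The data is
 * encrypted once; `sent` records how much of it has already gone out. */
struct enc_state { const char *buf; size_t len; size_t sent; };

/* Send what remains of the encrypted buffer. Returns 0 when every byte
 * is out, -1 with errno == EWOULDBLOCK when the caller must poll and
 * call again, -1 with another errno on a hard failure. */
int flush_encrypted(struct enc_state *e, struct mock_sock *s)
{
    while (e->sent < e->len) {
        long n = mock_send(s, e->buf + e->sent, e->len - e->sent);

        if (n < 0)
            return -1;            /* errno was set by the transport */
        e->sent += (size_t)n;     /* keep partial progress for the retry */
    }
    return 0;
}
```

Because the offset survives the would-block return, the retry never resends
bytes the client already has, which would corrupt the encrypted stream.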

https://bugzilla.redhat.com/show_bug.cgi?id=518520
Resolves: bug 518520
Bug Description: pre hashed salted passwords do not work
Reviewed by: ???
Files: see diff
Branch: HEAD and 1.2
Fix Description: Pre-hashed passwords may not use the standard internal
salt length. The old ldif base64 decode function would return the number
of bytes in the decoded string - the new NSPR function does not. We can't
use strlen on the decoded value since it is binary and may contain nulls.
The solution is to use a function to calculate exactly how many bytes the
encoded string will have when decoded, taking into account padding. Since
we know exactly how many bytes are decoded, and we know exactly how many
bytes of that decoded value are the hash, the remainder must be the salt,
however many bytes that is.
I tested this code with salt lengths from 1 to 99.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=358138&action=diff
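
Added example (not part of the message above and not the patch's code): one
way to compute the decoded length from the base64 text, padding included, and
derive the salt length as the remainder after the hash. The function names
and the 20-byte hash length are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define HASH_LEN 20   /* assumed: 20-byte digest with the salt stored after it */

/* Bytes a padded base64 string decodes to; 0 if the length is invalid.
 * Hypothetical helper, not the function from the patch. */
size_t b64_decoded_len(const char *enc)
{
    size_t n = strlen(enc);
    size_t pad = 0;
    if (n == 0 || n % 4 != 0)
        return 0;
    if (enc[n - 1] == '=') pad++;
    if (enc[n - 2] == '=') pad++;
    return (n / 4) * 3 - pad;
}

/* Salt length = decoded length minus the fixed hash length.
 * Returns -1 when the value cannot even hold the hash. */
long salt_len(const char *enc, size_t hash_len)
{
    size_t total = b64_decoded_len(enc);
    if (total < hash_len)
        return -1;
    return (long)(total - hash_len);
}

/* Constructed inputs: all-'A' base64 decodes to all-zero bytes, the case
 * where strlen() on the decoded value would report 0. Checks salt
 * lengths 1..99 and returns the number of mismatches. */
int check_salt_range(void)
{
    char enc[168];
    int bad = 0;
    for (size_t salt = 1; salt <= 99; salt++) {
        size_t total = HASH_LEN + salt;
        size_t pad = (3 - total % 3) % 3;
        size_t n = (total + pad) / 3 * 4;
        memset(enc, 'A', n - pad);
        memset(enc + n - pad, '=', pad);
        enc[n] = '\0';
        if (salt_len(enc, HASH_LEN) != (long)salt)
            bad++;
    }
    return bad;
}
```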